Privacy Policy — Univisit
Last updated: 15 April 2026
Data Controller: IDtech SA, Belgium — https://www.idtech.be
Contact: info@idtech.eu
1. Introduction
IDtech SA ("we", "us", "IDtech") provides Univisit, a visitor management application used by organisations to schedule, check in, and manage visitors at their premises. This Privacy Policy explains what personal data we process, why, and what rights you have under the EU General Data Protection Regulation (GDPR — Regulation (EU) 2016/679) and Belgian data protection law.
Univisit is a business-to-business tool. When your employer or host organisation uses Univisit, that organisation is the Data Controller for the personal data processed through the app, and IDtech acts as Data Processor on their behalf under a Data Processing Agreement.
2. Data We Collect
Univisit processes only the data strictly necessary to manage visits:
| Category | Examples |
|---|---|
| Visitor identity | First name, last name, email address, company / organisation |
| Host information | Name, email, department of the employee receiving the visitor |
| Visit metadata | Visit purpose, scheduled date/time, actual check-in/check-out timestamps, location within the building |
| Authentication | Username, encrypted credentials (via Keycloak identity provider), role/permissions |
| Optional visitor photo | Captured at reception, only if the host organisation enables this feature |
| Device data | Device type and OS version, for security logs and error diagnostics |
We do not collect: precise location (GPS), contacts, advertising identifiers, health data, payment data, or any special category of data under Article 9 GDPR.
3. How We Use the Data (Purposes & Legal Basis)
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Registering and managing scheduled visits | (b) Performance of a contract / (f) Legitimate interest of the host organisation in securing its premises |
| Authenticating users (employees, guards, admins) | (b) Contract / (c) Legal obligation (building security) |
| Generating and validating QR codes for check-in | (f) Legitimate interest in premises security |
| Visitor photos (where enabled) | (f) Legitimate interest in identification and access control |
| Security logs and audit trails | (c) Legal obligation / (f) Legitimate interest |
| Responding to data subject requests | (c) Legal obligation under GDPR |
We do not use personal data for advertising, profiling, or automated decision-making with legal effect.
4. Data Storage & Security
Data is hosted on servers operated by IDtech (or its designated sub-processor) within the European Union.
Authentication tokens are stored in the device's secure keystore (iOS Keychain via expo-secure-store; Android Keystore).
All communication between the app and our backend uses HTTPS/TLS 1.2+.
Access to the backend is restricted via role-based permissions and audited.
Passwords are never stored by the app; authentication is delegated to Keycloak (OpenID Connect).
5. Data Sharing & Third Parties
We do not sell your personal data and we do not use third-party analytics, advertising, or tracking SDKs.
Data may be accessed by:
Your host organisation (the controller — employees, guards, administrators with appropriate roles).
Apple Inc., limited to crash reports or TestFlight diagnostics when applicable (https://www.apple.com/legal/privacy/).
IDtech technical staff, only when strictly necessary for support and under confidentiality obligations.
Competent authorities, where required by law.
No data is transferred outside the European Economic Area without appropriate safeguards (Standard Contractual Clauses, Art. 46 GDPR).
6. Data Retention
Active visits: retained for the duration of the visit plus a standard audit window defined by the host organisation (typically 12 months).
Historical visit logs: retained as required by the host organisation's security and compliance policies.
User accounts: retained while the user is employed or authorised by the host organisation; deleted within 30 days of deactivation.
Security/audit logs: retained up to 24 months, then deleted or anonymised.
Retention periods may be adjusted by the host organisation in line with its legal obligations.
7. Your Rights (GDPR Articles 15–22)
You have the right to:
Access the personal data we hold about you (Art. 15).
Rectification of inaccurate or incomplete data (Art. 16).
Erasure ("right to be forgotten") (Art. 17).
Restriction of processing (Art. 18).
Data portability — receive your data in a machine-readable format (Art. 20).
Object to processing based on legitimate interest (Art. 21).
Withdraw consent at any time, where processing is based on consent.
Lodge a complaint with the Belgian Data Protection Authority (https://www.dataprotectionauthority.be).
To exercise any of these rights, contact info@idtech.eu. We will respond within 30 days.
8. Account & Data Deletion (Apple App Store Requirement)
You may request deletion of your Univisit account and associated personal data at any time:
Option A — In-app: Go to Profile → Account → Request Account Deletion.
Option B — By email: Send a request to info@idtech.eu with the subject line "Account Deletion Request" and include the email address associated with your account.
Upon verification, we will delete your account, authentication credentials, and personal data within 30 days, subject to retention of minimal records required by law (e.g., security audit logs, anti-fraud, or legal obligations), which will be securely deleted at the end of the applicable retention period.
If your account is managed by your employer, certain visit records may be retained by the employer as Data Controller — we will forward your request to them where appropriate.
9. Children
Univisit is not directed at children under 16 and we do not knowingly collect data from minors. If you believe a minor has provided data, contact us and we will delete it.
10. Changes to This Policy
We may update this Privacy Policy to reflect changes in the app, legal requirements, or our practices. The "Last updated" date will always reflect the most recent version. Material changes will be communicated through the app.
11. Contact
IDtech SA
Belgium
Website: https://www.idtech.be
Privacy contact: info@idtech.eu
Belgian Data Protection Authority
Rue de la Presse 35, 1000 Brussels
https://www.dataprotectionauthority.be
Univisit Privacy Policy — IDtech SA — info@idtech.eu
Privacy Policy — Univisit
Last updated: 15 April 2026
Data Controller: IDtech SA, Belgium — https://www.idtech.be
Contact: info@idtech.eu
1. Introduction
IDtech SA ("we", "us", "IDtech") provides Univisit, a visitor management application used by organisations to schedule, check in, and manage visitors at their premises. This Privacy Policy explains what personal data we process, why, and what rights you have under the EU General Data Protection Regulation (GDPR — Regulation (EU) 2016/679) and Belgian data protection law.
Univisit is a business-to-business tool. When your employer or host organisation uses Univisit, that organisation is the Data Controller for the personal data processed through the app, and IDtech acts as Data Processor on their behalf under a Data Processing Agreement.
2. Data We Collect
Univisit processes only the data strictly necessary to manage visits:
| Category | Examples |
|---|---|
| Visitor identity | First name, last name, email address, company / organisation |
| Host information | Name, email, department of the employee receiving the visitor |
| Visit metadata | Visit purpose, scheduled date/time, actual check-in/check-out timestamps, location within the building |
| Authentication | Username, encrypted credentials (via Keycloak identity provider), role/permissions |
| Optional visitor photo | Captured at reception, only if the host organisation enables this feature |
| Device data | Device type and OS version, for security logs and error diagnostics |
We do not collect: precise location (GPS), contacts, advertising identifiers, health data, payment data, or any special category of data under Article 9 GDPR.
3. How We Use the Data (Purposes & Legal Basis)
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Registering and managing scheduled visits | (b) Performance of a contract / (f) Legitimate interest of the host organisation in securing its premises |
| Authenticating users (employees, guards, admins) | (b) Contract / (c) Legal obligation (building security) |
| Generating and validating QR codes for check-in | (f) Legitimate interest in premises security |
| Visitor photos (where enabled) | (f) Legitimate interest in identification and access control |
| Security logs and audit trails | (c) Legal obligation / (f) Legitimate interest |
| Responding to data subject requests | (c) Legal obligation under GDPR |
We do not use personal data for advertising, profiling, or automated decision-making with legal effect.
4. Data Storage & Security
Data is hosted on servers operated by IDtech (or its designated sub-processor) within the European Union.
Authentication tokens are stored in the device's secure keystore (iOS Keychain via expo-secure-store; Android Keystore).
All communication between the app and our backend uses HTTPS/TLS 1.2+.
Access to the backend is restricted via role-based permissions and audited.
Passwords are never stored by the app; authentication is delegated to Keycloak (OpenID Connect).
5. Data Sharing & Third Parties
We do not sell your personal data and we do not use third-party analytics, advertising, or tracking SDKs.
Data may be accessed by:
Your host organisation (the controller — employees, guards, administrators with appropriate roles).
Apple Inc., limited to crash reports or TestFlight diagnostics when applicable (https://www.apple.com/legal/privacy/).
IDtech technical staff, only when strictly necessary for support and under confidentiality obligations.
Competent authorities, where required by law.
No data is transferred outside the European Economic Area without appropriate safeguards (Standard Contractual Clauses, Art. 46 GDPR).
6. Data Retention
Active visits: retained for the duration of the visit plus a standard audit window defined by the host organisation (typically 12 months).
Historical visit logs: retained as required by the host organisation's security and compliance policies.
User accounts: retained while the user is employed or authorised by the host organisation; deleted within 30 days of deactivation.
Security/audit logs: retained up to 24 months, then deleted or anonymised.
Retention periods may be adjusted by the host organisation in line with its legal obligations.
7. Your Rights (GDPR Articles 15–22)
You have the right to:
Access the personal data we hold about you (Art. 15).
Rectification of inaccurate or incomplete data (Art. 16).
Erasure ("right to be forgotten") (Art. 17).
Restriction of processing (Art. 18).
Data portability — receive your data in a machine-readable format (Art. 20).
Object to processing based on legitimate interest (Art. 21).
Withdraw consent at any time, where processing is based on consent.
Lodge a complaint with the Belgian Data Protection Authority (https://www.dataprotectionauthority.be).
To exercise any of these rights, contact info@idtech.eu. We will respond within 30 days.
8. Account & Data Deletion (Apple App Store Requirement)
You may request deletion of your Univisit account and associated personal data at any time:
Option A — In-app: Go to Profile → Account → Request Account Deletion.
Option B — By email: Send a request to info@idtech.eu with the subject line "Account Deletion Request" and include the email address associated with your account.
Upon verification, we will delete your account, authentication credentials, and personal data within 30 days, subject to retention of minimal records required by law (e.g., security audit logs, anti-fraud, or legal obligations), which will be securely deleted at the end of the applicable retention period.
If your account is managed by your employer, certain visit records may be retained by the employer as Data Controller — we will forward your request to them where appropriate.
9. Children
Univisit is not directed at children under 16 and we do not knowingly collect data from minors. If you believe a minor has provided data, contact us and we will delete it.
10. Changes to This Policy
We may update this Privacy Policy to reflect changes in the app, legal requirements, or our practices. The "Last updated" date will always reflect the most recent version. Material changes will be communicated through the app.
11. Contact
IDtech SA
Belgium
Website: https://www.idtech.be
Privacy contact: info@idtech.eu
Belgian Data Protection Authority
Rue de la Presse 35, 1000 Brussels
https://www.dataprotectionauthority.be
Univisit Privacy Policy — IDtech SA — info@idtech.eu